Network Access Security It's Broke, Now What? June 15, 2010

Size: px
Start display at page:

Download "Network Access Security It's Broke, Now What? June 15, 2010"

Transcription

1 Network Access Security It's Broke, Now What? June 15, 2010 Jeffrey L Carrell Network Security Consultant Network Conversions SHARKFEST 10 Stanford University June 14-17, 2010

2 Network Access Security It's Broke, Now What? Access Problems on the Network How to Solve It How to Enhance It Now it Works Now it s Broken

3 Network Access Security It's Broke, Now What? The Issue: Open Access LAN Switch Ports Authentication of Users and End-point Devices on a LAN Enhanced Policy Decisions after Initial Authentication Network Access Control/Protection Components of a Secure Access System Demonstration of an 802.1X System

4 The Issue: Open Access LAN Switch Ports Are there open or available LAN Switch ports? Can the client device get an IP address? Can the client gain any access to network? If so, then there is the possibility of network attacks attacks to network infrastructure devices (switches, APs) attacks to network resources (servers, etc) attacks to end-user computers virus, trojan, and other malware distribution use of network for malicious network attacks -inside and/or outside data privacy exploits

5 Controlling Access to the Network Lock down LAN switch ports with configuration that requires all connections to the switch to authenticate Users Authenticate providing userid/password credentials can be automated for single sign-on Devices Authenticate VoIP phones Printers Surveillance Cameras

6 Authentication of Users and End-point Devices on a LAN Authentication System for End-point Devices on a Local Area Network IEEE 802.1X The Challenge -Adding VoIP Phones to the Secure Network RFC-4675 Enhancements to IEEE 802.1X

7 What is IEEE 802.1X? IEEE 802.1X is a standards based mechanism allowing users and end-point devices to authenticate in order to gain network access Foundation relies on the Remote Authentication Dial- In User Service (RADIUS) networking protocol for Authentication, Authorization and Accounting (AAA) management Devices communicate via the Extensible Authentication Protocol over LAN (EAP-OL) -a Layer 2 communication to the authenticator

8 Why IEEE 802.1X? 802.1X controlled switch ports block normal traffic by default until authentication is verified using a RADIUS server and EAP For specific user authentication, RADIUS server can provide VLAN ID (VID) to switch 802.1X does not specify what EAP type is used, as long as the supplicant and authentication server agree on an EAP method 802.1X is an IEEE standard and therefore provides interoperability between standards-based network access equipment, authentication servers, and client supplicants

9 Components of an 802.1X System Supplicant Authenticator Authentication Clients 802.1X enabled AP Clients 802.1X enabled switch RADIUS User Database

10 Authentication Microsoft IAS (Windows 2000/2003) Microsoft NPS (Windows 2008) Juniper Networks Steel-Belted Radius (multiple server platforms) FreeRADIUS (many linux server platforms) Other RADIUS conforming to RFC s RFC 2284 PPP Extensible Authentication Protocol (EAP) RFC 2865 Remote Authentication Dial In User Service (RADIUS) RFC 2869 RADIUS Extensions * not an exhaustive list

11 Authenticator 802.1X Enabled LAN Switch 802.1X Enabled Wireless Access Point (generally requires enterprise-class devices)

12 Supplicant Microsoft WinXP, Vista, Win7 Apple Mac OS X Juniper Networks Odyssey Access Client (Windows, Red Hat Linux) Open Source - Open1X (Windows, Linux) Network Printers (built-in) VoIP Phones (built-in) LAN Switch (built-in) Wireless Access Point (built-in) Client MUST be configured for the same EAP type supported on the Authentication * not an exhaustive list

13 EAP types EAP-MD5 least secure most commonly supported on VoIP phones Protected EAP (EAP-PEAP) more secure, can use digital certificate on end-point EAP-Tunneled TLS (EAP-TTLS) more secure, can use digital certificate on end-point EAP-Transport Layer Security (EAP-TLS) most secure, requires digital certificate on end-point

14 802.1X Communications Flow Supplicant Authenticator Authentication Port is blocked (unauthorized) EAP Identity Request EAP Identity Response EAP Access Challenge EAP Identity Response EAP Success RADIUS Access Request RADIUS Access Challenge RADIUS Access Request RADIUS Access Accept Port is opened (authorized)

15 Switch Port States in 802.1X A port that has been configured to require 802.1X authentication has two states: Unauthorized no authorized client has connected to the port, or client has failed authentication Authorized connected client has supplied valid credentials and has been authenticated When a port is in the unauthorizedstate, only EAP traffic is allowed When a port is in the authorizedstate, traffic is forwarded normally

16 VLAN Assignment of Switch Port RADIUS can send attributes to the switch which could define a specific VLAN the port is assigned to based on the user credentials If RADIUS doesn t provide VLAN attributes, switch port could be assigned to authorized VID If RADIUS doesn t provide VLAN attributes and the authorized VID is not defined, then the switch opens the port using the statically assigned VID of that port * for the duration of that authorized users session

17 The Challenge -Adding VoIP Phones to the Secure Network Some manufacturers VoIP phones support 802.1X with a built-in supplicant, but generally only a few in their product lines if so, then a matching RADIUS remote access policy can be configured to support the VoIP phone Without RFC-4675, dynamic 802.1Q (tag) VID assignment from RADIUS is not possible If the VoIP phone doesn t have a supplicant, difficult to support 802.1X authentication some LAN switch manufacturers support alternate 802.1X authentication methods, such as MAC Auth & WEB Auth

18 RFC-4675 Enhancements to 802.1X RADIUS can specify tag ports (for VoIP phones) RADIUS can specify VLAN name to switch Is supported on: FreeRADIUS v May require LAN switch software upgrade

19 Configuring a Microsoft Based System for 802.1X Active Directory userid(s) must have remote access permission enabled IAS/NPS define each authenticator as RADIUS client define remote access policies for users LAN Switch and/or AP configure RADIUS server definition configure specific ports/wlans to support 802.1X Client Supplicant configure EAP type used for authentication

20 Enhanced Policy Decisions after Initial Authentication A mechanism to apply additional policy based rules to validate a user s level of access into the network Executes after initial 802.1X authentication Policy components may include: where is the user/device in the network when is the user/device on the network integrity of the computer or device

21 TCG/Microsoft/IETF Architectures What is it? Posture Collector Third-party software that runs on the client and collects TCG TNC Integrity Microsoft NAP System information on security status and applications, such as is A/V enabled and upto-date? Measureme Health nt Collector Agent Client Broker "Middleware" that runs on the client and talks to the Posture Collectors, collecting their data, and passing it down to Network Access Requestor. In product form, this is generally bundled with the Network Access Requestor. Network Access Requestor Software that connects the client to network. Examples might be 802.1X supplicant or IPSec VPN client. Used to authenticate the user, but also as a conduit for Posture Collector data to make it to the other side. TNC Client Network Access Requestor NAP Agent NAP Enforcement Client IETF NEA Posture Collector Posture Broker Client Posture Transport Client Posture Collector Client Broker Network Access Requestor Network Enforcement Point Posture Validator Broker Network Access Authority What is it? Network Enforcement Point Component within the network that TCG TNC Policy Microsoft NAP NAP enforces policy, typically an 802.1X-capable switch or WLAN, VPN Enforcement Enforcement gateway, or firewall. Point Posture Validator Third-party software that receives status information from Posture Collectors on clients and validates the status information against stated network policy, returning a status to the Broker. Broker "Middleware" acting as an interface between multiple Posture Validators and the Network Access Authority. Network Access Authority A server responsible for validating authentication and posture information and passing policy information back to the Network Enforcement Point. Integrity Measureme nt Verifier TNC Network Access Authority System Health Validator NAP Administration Network Policy IETF NEA Intermediar y Devices Posture Validator Posture Broker Posture Transport this slide from Interop ilabs NAC Team - used with permission

22 Enhanced Policy Decisions Example Policy Faculty User Faculty Access Policy Group Access Rule 1 full access for faculty user Class Room M-F 7A-6P Assigned Device Faculty WLAN Latest DEFs Access Profile VLAN 20 Settings QoS B/W Network Access Rule (ACL) access to faculty systems Network Access Rule (ACL) access to campus system Access Rule 2 limited access for faculty user Cafeteria Anytime Assigned Device Faculty WLAN Latest DEFs Access Profile VLAN 30 Settings QoS B/W Network Access Rule (ACL) no access to faculty systems Network Access Rule (ACL) access to campus system

23 Enhanced Policy Decisions Communications Flow Supplicant Authenticator Authentication with Radius Agent Port is blocked (unauthorized) EAP Identity Request EAP Identity Response EAP Access Challenge EAP Identity Response EAP Success RADIUS Access Request RADIUS Access Challenge RADIUS Access Request Policy Decision RADIUS Access modifies RADIUS Reply Accept Port is opened (authorized)

24 Network Access Control/Protection Before authentication and possible policy decision * Provides Endpoint Integrity Assessment Verify OS updates & hot fixes/service packs Verify security applications are running and up-to-date Provides Endpoint Integrity Enforcement Quarantines access for remediation to NAC/NAP policy compliance Restrict access for non-compliance * Some NAC/NAP Systems include these functions

25 Network Access Control/Protection 3 Primary client testing options Agent least user interaction ActiveX requires user to launch browser Agentless limited function 3 Types of Endpoint Integrity Assessment Tests Inline NAC/NAP server in the flow of traffic DHCP NAC/NAP server intercepts DHCP request 802.1X authentication required

26 Endpoint Integrity Assessment Test Inline NAC/NAP server in the flow of traffic NAC/NAP DHCP NAC/NAP Agent

27 Endpoint Integrity Assessment Test DHCP NAC/NAP server intercepts DHCP request NAC/NAP DHCP NAC/NAP Agent

28 Endpoint Integrity Assessment Test 802.1X Authentication required Authentication NAC/NAP Supplicant NAC/NAP Agent Authenticator User Database

29 Components of a Secure Access System Authentication Policy Enforcement NAC/NAP Supplicant NAC/NAP Agent Authenticator User Database

30 Demonstration of an 802.1X System Supplicant Authenticator Authentication Win X enabled switch RADIUS User Database Win7 Mitel 5212 ProCurve 3500yl-24G W2K8/NPS W2K8/AD

31 Of Course We Have Captures! Successful client authentication Failed client authentication

32 Successful Client Authentication, w/vlan Assignment

33 Successful Client Authentication, but Fail on Switch RADIUS provided VID, switch did not have that specific VID configured Fri Jun 04 13:44: : <12> Jun 4 13:44: dca: 8021X client, RADIUSassigned VID validation error. MAC E port 17 VLAN-Id 0 or unknown.

34 Unsuccessful Authentication: no Supplicant Enabled on Client

35 Fail-Client Configured for Incorrect EAP Type

36 Fail-Client Configured for Incorrect EAP Type Level Date and Time Source Event ID Task Category Information 06/13/ :33:38 Microsoft-Windows-Security-Auditing 6275 Network Policy "Network Policy discarded the accounting request for a user. Contact the Network Policy administrator for more information. User: Client Machine: NAS: RADIUS Client: Security ID: NULL SID Account Name: procurve Account Domain: - Fully Qualified Account Name: - Security ID: NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: - Calling Station Identifier: B D8 NAS IPv4 Address: NAS IPv6 Address: - NAS Identifier: ProCurve_3524G NAS Port-Type: - NAS Port: 13 Client Friendly Name: ProCurve_3524G_a Client IP Address: Authentication Details: Proxy Policy Name: - Network Policy Name: - Authentication Provider: - Authentication : server01.traversalabs.com Authentication Type: - EAP Type: - Account Session Identifier: Reason Code: 49 Reason: connection attempt did not match any connection request policy. " The

37 Fail-No Client Defined in RADIUS for this Authenticator

38 Fail-no Radius Connection Policy Match

39 Fail-no Radius Network Policy Match

40 Captures Isn t All So, where can you look to troubleshoot if the captures don t tell the whole story? Look at RADIUS logs Event Viewer in W2K0/3/8 Look at switch logs Look at client Logs Event Viewer

41 Network Access Security It's Broke, Now What? Thank You for Attending! Jeffrey L Carrell Network Security Consultant

UNDERSTANDING IDENTITY-BASED NETWORKING SERVICES AUTHENTICATION AND POLICY ENFORCEMENT

UNDERSTANDING IDENTITY-BASED NETWORKING SERVICES AUTHENTICATION AND POLICY ENFORCEMENT UNDERSTANDING IDENTITY-BASED NETWORKING SERVICES AUTHENTICATION AND POLICY ENFORCEMENT John Stone CTO Cisco Systems Internetworking Ireland jstone@cisco.com 2005 Cisco Systems, Inc. All rights reserved.

More information

Using IEEE 802.1x to Enhance Network Security

Using IEEE 802.1x to Enhance Network Security Using IEEE 802.1x to Enhance Network Security Table of Contents Introduction...2 Terms and Technology...2 Understanding 802.1x...3 Introduction...3 802.1x Authentication Process...3 Before Authentication...3

More information

NETWORK ACCESS CONTROL

NETWORK ACCESS CONTROL RIVIER ACADEMIC JOURNAL, VOLUME 3, NUMBER 2, FALL 2007 NETWORK ACCESS CONTROL Arti Sood * Graduate Student, M.S. in Computer Science Program, Rivier College Abstract Computers connected to the Internet

More information

Network Access Control ProCurve and Microsoft NAP Integration

Network Access Control ProCurve and Microsoft NAP Integration HP ProCurve Networking Network Access Control ProCurve and Microsoft NAP Integration Abstract...2 Foundation...3 Network Access Control basics...4 ProCurve Identity Driven Manager overview...5 Microsoft

More information

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved.

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Overview By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com 2006 Cisco Systems, Inc. All rights reserved. 1 Cisco Secure Access Control System Policy Control and

More information

Securing the University Network

Securing the University Network Securing the University Network Abstract Endpoint policy compliance solutions take either a network-centric or device-centric approach to solving the problem. The body of this paper addresses these two

More information

Microsoft Windows Server System White Paper

Microsoft Windows Server System White Paper Introduction to Network Access Protection Microsoft Corporation Published: June 2004, Updated: May 2006 Abstract Network Access Protection, a platform for Microsoft Windows Server "Longhorn" (now in beta

More information

VLANs. Application Note

VLANs. Application Note VLANs Application Note Table of Contents Background... 3 Benefits... 3 Theory of Operation... 4 IEEE 802.1Q Packet... 4 Frame Size... 5 Supported VLAN Modes... 5 Bridged Mode... 5 Static SSID to Static

More information

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group TNC: Open Standards for Network Security Automation Copyright 2010 Trusted Computing Group Agenda Introduce TNC and TCG Explanation of TNC What problems does TNC solve? How does TNC solve those problems?

More information

x900 Switch Access Requestor

x900 Switch Access Requestor Network Security Solutions Implementing Network Access Control (NAC) Tested Solution: Protecting your network with Microsoft Network Access Protection (NAP) and Switches Today s networks increasingly require

More information

Policy Management: The Avenda Approach To An Essential Network Service

Policy Management: The Avenda Approach To An Essential Network Service End-to-End Trust and Identity Platform White Paper Policy Management: The Avenda Approach To An Essential Network Service http://www.avendasys.com email: info@avendasys.com email: sales@avendasys.com Avenda

More information

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview Deployment models C H A P T E R 6 Implementing Network

More information

Implementation of IEEE 802.1X in wired networks

Implementation of IEEE 802.1X in wired networks Implementation of IEEE 802.1X in wired networks Best Practice Document Produced by UNINETT led working group on security (UFS 133) Authors: Øystein Gyland, Tom Myren, Rune Sydskjør, Gunnar Bøe March 2013

More information

Network Access Control (NAC) and Network Security Standards

Network Access Control (NAC) and Network Security Standards Network Control (NAC) and Network Security Standards Copyright 2011 Trusted Computing Group Other names and brands are properties of their respective owners. Slide #1 Agenda Goals of NAC Standards What

More information

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Tech Brief Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Introduction In today s era of increasing mobile computing, one of the greatest challenges

More information

HP ProCurve Identity Driven Manager 3.0

HP ProCurve Identity Driven Manager 3.0 Product overview HP ProCurve Identity Driven Manager (IDM), a plug-in to HP ProCurve Manager Plus, dynamically provisions network security and performance settings based on user, device, location, time,

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU

UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU ITMS: 26140230008 DOPYTOVO ORIENTOVANÝ PROJEKT Moderné

More information

On-boarding and Provisioning with Cisco Identity Services Engine

On-boarding and Provisioning with Cisco Identity Services Engine On-boarding and Provisioning with Cisco Identity Services Engine Secure Access How-To Guide Series Date: April 2012 Author: Imran Bashir Table of Contents Overview... 3 Scenario Overview... 4 Dual SSID

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

» WHITE PAPER. 802.1X and NAC: Best Practices for Effective Network Access Control. www.bradfordnetworks.com

» WHITE PAPER. 802.1X and NAC: Best Practices for Effective Network Access Control. www.bradfordnetworks.com » WHITE PAPER 802.1X and NAC: Best Practices for Effective Network Access Control White Paper» 802.1X and NAC: Best Practices for Effective Network Access Control 1 IEEE 802.1X is an IEEE (Institute of

More information

The Importance of Standards to Network Access Control

The Importance of Standards to Network Access Control White Paper The Importance of Standards to Network Access Control Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net Part Number:

More information

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches print email Article ID: 4941 Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches Objective In an ever-changing business environment, your

More information

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

WiNG5 CAPTIVE PORTAL DESIGN GUIDE WiNG5 DESIGN GUIDE By Sriram Venkiteswaran WiNG5 CAPTIVE PORTAL DESIGN GUIDE June, 2011 TABLE OF CONTENTS HEADING STYLE Introduction To Captive Portal... 1 Overview... 1 Common Applications... 1 Authenticated

More information

Pulse Policy Secure. RADIUS Server Management Guide. Product Release 5.1. Document Revision 1.0. Published: 2015-02-10

Pulse Policy Secure. RADIUS Server Management Guide. Product Release 5.1. Document Revision 1.0. Published: 2015-02-10 Pulse Policy Secure RADIUS Server Management Guide Product Release 5.1 Document Revision 1.0 Published: 2015-02-10 2015 by Pulse Secure, LLC. All rights reserved iii Pulse Secure, LLC 2700 Zanker Road,

More information

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Bypassing Network Access Control Systems

Bypassing Network Access Control Systems 1 Bypassing Network Access Control Systems Ofir Arkin, CTO Blackhat USA 2006 ofir.arkin@insightix.com http://www.insightix.com 2 What this talk is about? Introduction to NAC The components of a NAC solution

More information

WIRELESS NETWORK SECURITY

WIRELESS NETWORK SECURITY WIRELESS NETWORK SECURITY Much attention has been focused recently on the security aspects of existing Wi-Fi (IEEE 802.11) wireless LAN systems. The rapid growth and deployment of these systems into a

More information

Cisco Secure Access Control Server 4.2 for Windows

Cisco Secure Access Control Server 4.2 for Windows Cisco Secure Access Control Server 4.2 for Windows Overview Q. What is Cisco Secure Access Control Server (ACS)? A. Cisco Secure ACS is a highly scalable, high-performance access control server that operates

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

POLICY SECURE FOR UNIFIED ACCESS CONTROL

POLICY SECURE FOR UNIFIED ACCESS CONTROL White Paper POLICY SECURE FOR UNIFIED ACCESS CONTROL Enabling Identity, Role, and Device-Based Access Control in a Simply Connected Network Copyright 2014, Pulse Secure LLC 1 Table of Contents Executive

More information

vwlan External RADIUS 802.1x Authentication

vwlan External RADIUS 802.1x Authentication 6ABSCG0002-29B July 2013 Configuration Guide vwlan External RADIUS 802.1x Authentication This configuration guide provides an in-depth look at external Remote Authentication Dial-In User Service (RADIUS)

More information

Configuring Windows Server 2008 Network Infrastructure

Configuring Windows Server 2008 Network Infrastructure Configuring Windows Server 2008 Network Infrastructure Course Number: 70-642 Certification Exam This course is preparation for the Microsoft Technical Specialist (TS) exam, Exam 70-642: TS: Windows Server

More information

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists Cisco TrustSec How-To Guide: Planning and Predeployment Checklists For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents...

More information

Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer

Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer Orchestrated Security Network Automated, Event Driven Network Security Ralph Wanders Consulting Systems Engineer Orchestrated Security Network! " TCG/ TNC Architecture! " IF-MAP! " Use cases of IF-MAP!

More information

Technical Note. CounterACT: 802.1X and Network Access Control

Technical Note. CounterACT: 802.1X and Network Access Control CounterACT: 802.1X and Contents Introduction...3 What is 802.1X?...3 Key Concepts.... 3 Protocol Operation...4 What is NAC?...4 Key Objectives.... 5 NAC Capabilities.... 5 The Role of 802.1X in NAC...6

More information

Sample. Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager. Contents

Sample. Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager. Contents Contents 4 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Contents Overview...................................................... 4-3 RADIUS Overview...........................................

More information

Belnet Networking Conference 2013

Belnet Networking Conference 2013 Belnet Networking Conference 2013 Thursday 12 December 2013 @ http://events.belnet.be Workshop roaming services: eduroam / govroam Belnet Aris Adamantiadis, Nicolas Loriau Bruxelles 05 December 2013 Agenda

More information

70-642 R4: Configuring Windows Server 2008 Network Infrastructure

70-642 R4: Configuring Windows Server 2008 Network Infrastructure 70-642 R4: Configuring Windows Server 2008 Network Infrastructure Course Introduction Chapter 01 - Understanding and Configuring IP Lesson: Introducing the OSI Model Understanding the Network Layers OSI

More information

RAD-Series RADIUS Server Version 7.1

RAD-Series RADIUS Server Version 7.1 RAD-Series RADIUS Server Version 7.1 Highly Customizable RADIUS Server for Controlling Access & Security in Wireless & Wired Networks Interlink Networks RAD-Series Authentication Authorization, and Accounting

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

IDM and Endpoint Integrity Technical Overview

IDM and Endpoint Integrity Technical Overview ProCurve ing by HP IDM and Endpoint Integrity Technical Overview The Threats to Today s ing Environments... 2 Endpoint Integrity Defined... 2 Endpoint Integrity Options... 2 The ProCurve Solution: Endpoint

More information

Models HP IMC Smart Connect Edition Virtual Appliance Software E-LTU

Models HP IMC Smart Connect Edition Virtual Appliance Software E-LTU Models HP IMC Smart Connect Edition Virtual Appliance Software E-LTU JG659AAE Key features Identity-based access, advanced device profiling, and real-time traffic quarantining Converged network support

More information

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks. Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted

More information

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

MOC 6435A Designing a Windows Server 2008 Network Infrastructure MOC 6435A Designing a Windows Server 2008 Network Infrastructure Course Number: 6435A Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft exam: Exam 70647:

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

Odyssey Access Client

Odyssey Access Client Odyssey Access Client Data Sheet Published Date June 2015 Product Overview As the demand to enable users to work from anywhere, at anytime increases, so does the need for secure network accessibility and

More information

TrustSec How-To Guide: On-boarding and Provisioning

TrustSec How-To Guide: On-boarding and Provisioning TrustSec How-To Guide: On-boarding and Provisioning For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Deploying and Configuring Polycom Phones in 802.1X Environments

Deploying and Configuring Polycom Phones in 802.1X Environments Deploying and Configuring Polycom Phones in 802.1X Environments This document provides system administrators with the procedures and reference information needed to successfully deploy and configure Polycom

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks

More information

IPv6 Security: How is the Client Secured?

IPv6 Security: How is the Client Secured? IPv6 Security: How is the Client Secured? Jeffrey L Carrell Network Conversions Network Security Consultant 1 IPv6 Security: How is the Client Secured? IPv6/IPsec IPsec Challenges IPsec Monitoring/Management

More information

Interoperability between Avaya IP phones and ProCurve switches

Interoperability between Avaya IP phones and ProCurve switches An HP ProCurve Networking Application Note Interoperability between Avaya IP phones and ProCurve switches Contents 1. Introduction... 3 2. Architecture... 3 3. Checking PoE compatibility... 3 4. Configuring

More information

InfoExpress Cyber Gatekeeper. How to quote? Günter Neuleitner. März 2009

InfoExpress Cyber Gatekeeper. How to quote? Günter Neuleitner. März 2009 InfoExpress Cyber Gatekeeper How to quote? Günter Neuleitner März 2009 Agenda 1. Introduction 2. Components 3. Quoting CyberGatekeeper 4. AGENTLESS AND AGENT-BASED 5. Examples 1 Introduction 3 Presentation

More information

Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming

Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming Mobility Task Force Deliverable F Inventory of web-based solution for inter-nren roaming Version 1.1 Authors: Sami Keski-Kasari , Harri Huhtanen Contributions: James

More information

Joe Davies Principal Writer Windows Server Documentation

Joe Davies Principal Writer Windows Server Documentation Joe Davies Principal Writer Windows Server Documentation Presented at Seattle Windows Networking User Group monthly meeting September 1, 2010 Agenda Brief VPN technology overview VPN features in Windows

More information

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series XenMobile Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Aaron Woland Date: December 2012 Table of Contents Introduction... 3 What Is the Cisco TrustSec System?...

More information

PassTest. Bessere Qualität, bessere Dienstleistungen!

PassTest. Bessere Qualität, bessere Dienstleistungen! PassTest Bessere Qualität, bessere Dienstleistungen! Q&A Exam : JN0-314 Title : Junos Pulse Access Control, Specialist (JNCIS-AC) Version : Demo 1 / 6 1.A customer wants to create a custom Junos Pulse

More information

Networking with Windows Server vb. Day(s): 5. Version: Overview

Networking with Windows Server vb. Day(s): 5. Version: Overview Networking with Windows Server vb Day(s): 5 Course Code: M10970 Version: B Overview Get hands-on instruction and practice implementing networking with Windows Server 2012 and Windows Server 2012 R2 in

More information

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design. SSM6435 - Course 6435A: Designing a Windows Server 2008 Network Infrastructure Overview About this Course This five-day course will provide students with an understanding of how to design a Windows Server

More information

Using Windows NPS as RADIUS in eduroam

Using Windows NPS as RADIUS in eduroam Using Windows NPS as RADIUS in eduroam Best Practice Document Produced by the UNINETT-led working group on campus networking Authors: P. Dekkers (SURFnet), T. Myren (UNINETT) February 2015 GÉANT Association

More information

Network-in-a-Box Solution. Services already integrated in the core switch Ideal concept for branch offices, schools or other small business networks

Network-in-a-Box Solution. Services already integrated in the core switch Ideal concept for branch offices, schools or other small business networks Network in a Box Network-in-a-Box Solution Services already integrated in the core switch Ideal concept for branch offices, schools or other small business networks Network-in-a-Box Solution The switch

More information

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series MDM Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Aaron Woland Date: December 2012 Table of Contents Introduction.... 3 What Is the Cisco TrustSec System?...

More information

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks Cisco IT Article December 2013 End-to-End Security Policy Control Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks Identity Services Engine is an integral

More information

Towards End-to-End Security

Towards End-to-End Security Towards End-to-End Security Thomas M. Chen Dept. of Electrical Engineering Southern Methodist University PO Box 750338 Dallas, TX 75275-0338 USA Tel: 214-768-8541 Fax: 214-768-3573 Email: tchen@engr.smu.edu

More information

RWL Tech Note Wireless 802.1x Authentication with Windows NPS

RWL Tech Note Wireless 802.1x Authentication with Windows NPS Wireless 802.1x Authentication with Windows NPS Prepared by Richard Litchfield HP Networking Solution Architect Hewlett-Packard Australia Limited 410 Concord Road Rhodes NSW 2138 AUSTRALIA Date Prepared:

More information

Evolving Network Security with the Alcatel-Lucent Access Guardian

Evolving Network Security with the Alcatel-Lucent Access Guardian T E C H N O L O G Y W H I T E P A P E R Evolving Network Security with the Alcatel-Lucent Access Guardian Enterprise network customers encounter a wide variety of difficulties and complexities when designing

More information

Juniper Networks Unified Access Control (UAC) and EX-Series Switches

Juniper Networks Unified Access Control (UAC) and EX-Series Switches White Paper Juniper Networks Unified Access Control (UAC) and EX-Series Switches Meeting Today s Security Challenges with End-to-End Network Access Control Juniper Networks, Inc. 1194 North Mathilda Avenue

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

SOSPG2. Implementing Network Access Controls. Nate Isaacson Security Solution Architect Nate.Isaacson@cdw.com

SOSPG2. Implementing Network Access Controls. Nate Isaacson Security Solution Architect Nate.Isaacson@cdw.com SOSPG2 Implementing Network Access Controls Nate Isaacson Security Solution Architect Nate.Isaacson@cdw.com Offer Pa Agenda The BYOD Challenges NAC terms The Big Picture NAC Solutions and Deployment What

More information

Cisco TrustSec Solution Overview

Cisco TrustSec Solution Overview Solution Overview Cisco TrustSec Solution Overview 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents Introduction... 3 Solution Overview...

More information

Deploying iphone and ipad Virtual Private Networks

Deploying iphone and ipad Virtual Private Networks Deploying iphone and ipad Virtual Private Networks Secure access to private corporate networks is available on iphone and ipad using established industry-standard virtual private network (VPN) protocols.

More information

User Authentication in the Enterprise Network

User Authentication in the Enterprise Network User Authentication in the Enterprise Network Technology for secure accessibility to Enterprise IT services 2001 Enterasys Networks, Inc. All rights reserved. Steve Hargis Technical Director Office of

More information

Network Security Solutions Implementing Network Access Control (NAC)

Network Security Solutions Implementing Network Access Control (NAC) Network Security Solutions Implementing Network Access Control (NAC) Tested Solution: Protecting a network with Sophos NAC Advanced and Switches Sophos NAC Advanced is a sophisticated Network Access Control

More information

Security. AAA Identity Management. Premdeep Banga, CCIE #21713. Cisco Press. Vivek Santuka, CCIE #17621. Brandon J. Carroll, CCIE #23837

Security. AAA Identity Management. Premdeep Banga, CCIE #21713. Cisco Press. Vivek Santuka, CCIE #17621. Brandon J. Carroll, CCIE #23837 AAA Identity Management Security Vivek Santuka, CCIE #17621 Premdeep Banga, CCIE #21713 Brandon J. Carroll, CCIE #23837 Cisco Press 800 East 96th Street Indianapolis, IN 46240 ix Contents Introduction

More information

End Point Security & Network Access Control

End Point Security & Network Access Control End Point Security & Network Access Control Presented by: Jennifer Jabbusch - Carolina Advanced Digital, Inc. Alan Shimel - StillSecure Darwin Socco - Bracewell & Giuliani LLP Let s Talk About What NAC

More information

EXAM - 70-980. Recertification for MCSE: Server Infrastructure. Buy Full Product. http://www.examskey.com/70-980.html

EXAM - 70-980. Recertification for MCSE: Server Infrastructure. Buy Full Product. http://www.examskey.com/70-980.html Microsoft EXAM - 70-980 Recertification for MCSE: Server Infrastructure Buy Full Product http://www.examskey.com/70-980.html Examskey Microsoft 70-980 exam demo product is here for you to test the quality

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

IF-MAP Use Cases: Real-Time CMDB, and More

IF-MAP Use Cases: Real-Time CMDB, and More IF-MAP Use Cases: Real-Time CMDB, and More Richard Kagan EVP / General Manager Orchestration Systems Business Unit IF-MAP: A Powerful New Standard IF-MAP = Interface to Metadata Access Points An open protocol

More information

Trusted Network Connect (TNC)

Trusted Network Connect (TNC) Trusted Network Connect (TNC) Josef von Helden josef.vonhelden@inform.fh-hannover.de Martin Schmiedel Daniel Wuttke First European Summer School on Trusted Infrastructure Technologies September 2006 1

More information

Network Access Control for Mobile Networks

Network Access Control for Mobile Networks Network Access Control for Mobile Networks Table of Contents Introduction 3 Network access initiatives the candidates 4 Posture-based access control 4 Cisco network access control 5 Microsoft NAP 7 Juniper

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

Using TS-ACCESS for Remote Desktop Access

Using TS-ACCESS for Remote Desktop Access Using TS-ACCESS for Remote Desktop Access Introduction TS-ACCESS is a remote desktop access feature available to CUA faculty and staff who need to access administrative systems or other computing resources

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

Cisco Virtual Office Express

Cisco Virtual Office Express . Q&A Cisco Virtual Office Express Overview Q. What is Cisco Virtual Office Express? A. Cisco Virtual Office Express is a solution that provides secure, rich network services to workers at locations outside

More information

Closed loop endpoint compliance an innovative, standards based approach A case study - NMCI

Closed loop endpoint compliance an innovative, standards based approach A case study - NMCI 1 Closed loop endpoint compliance an innovative, standards based approach A case study - NMCI Tom Lerach Head of IA, HP DoD Rajat Bhargava StillSecure October 2009 Agenda endpoint compliance with NMCI

More information

Designing a Windows Server 2008 Network Infrastructure

Designing a Windows Server 2008 Network Infrastructure Designing a Windows Server 2008 Network Infrastructure MOC6435 About this Course This five-day course will provide students with an understanding of how to design a Windows Server 2008 Network Infrastructure

More information

CCIE Security Written Exam (350-018) version 4.0

CCIE Security Written Exam (350-018) version 4.0 CCIE Security Written Exam (350-018) version 4.0 Exam Description: The Cisco CCIE Security Written Exam (350-018) version 4.0 is a 2-hour test with 90 110 questions. This exam tests the skills and competencies

More information

LifeSize Video Communications Systems Administrator Guide

LifeSize Video Communications Systems Administrator Guide LifeSize Video Communications Systems Administrator Guide November 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made

More information

"Charting the Course... ... to Your Success!" MOC 50331 D Windows 7 Enterprise Desktop Support Technician Course Summary

Charting the Course... ... to Your Success! MOC 50331 D Windows 7 Enterprise Desktop Support Technician Course Summary Description Course Summary This course provides students with the knowledge and skills needed to isolate, document and resolve problems on a Windows 7 desktop or laptop computer. It will also help test

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents: Configuring and Troubleshooting Routing and Remote Access 6-1 Module 6 Configuring and Troubleshooting Routing and Remote Access Contents: Lesson 1: Configuring Network Access 6-3 Lesson 2: Configuring

More information

TNC Endpoint Compliance and Network Access Control Profiles

TNC Endpoint Compliance and Network Access Control Profiles TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies andapplications HSR University of Applied Sciences

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement Comprehensive Endpoint Enforcement Overview is a complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information